Component

Implementations have been validated as conforming to individual components of FIPS approved and NIST recommended cryptographic algorithms, as specified in the associated publications, using tests described in the associated validation system (VS) documents.

Formerly validated implementation capabilities that are no longer approved are identified by strikethrough text.

RNG

Implementations have been validated as conforming to the various Random Number Generators (RNG) as specified in Federal Information Processing Standard (FIPS) 186-2, Digital Signature Standard (DSS), ANSI X9.62-1998, Public Key Cryptography for the Financial Services Industry: Elliptic Curve Digital Signature Algorithm (ECDSA), and ANSI X9.31-1998, Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA), using tests described in the Random Number Generator Validation System (RNGVS).

Formerly validated implementation capabilities that are no longer approved are identified by strikethrough text.

In October 2017 it was discovered that CAVS was testing for the wrong algorithm identifier for SHA-512/256 as part of the ANS X9.31 padding scheme for RSA signature generation and verification. The incorrect byte value "0x40" was tested instead of the correct value "0x3a". Testing the incorrect value is purely an interoperability concern: implementations that use different algorithm identifiers may not be able to verify each other's signatures. The error has no impact on the security of the signatures relative to the choice of algorithm identifier.

So as not to invalidate existing long-lived signatures produced by prior implementations, CAVP will permit implementations to verify signatures that carry the "0x40" algorithm identifier. To interoperate with systems that still use the incorrect identifier, implementations may also choose to generate signatures with the "0x40" algorithm identifier. Both options are considered deprecated: the CAVP program will not test for them, but neither will it disallow them.

For the ANS X9.31 padding scheme, implementations will be annotated with the SHA-512/256 algorithm identifier they were tested against, which is either "0x40" or "0x3a". Going forward, all new implementations will be tested only for the correct value "0x3a".
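The following is an added example, not code from NIST or the CAVP program, showing where the SHA-512/256 algorithm identifier sits in the ANS X9.31 encoded message and how a verifier can distinguish the correct "0x3a" value from the deprecated "0x40" value, accepting the latter only when explicitly opted in for legacy signatures. It covers only the encoding and trailer check, not the RSA key operations. The identifiers for SHA-256, SHA-384 and SHA-512 are taken from OpenSSL's X9.31 table and the header layout (0x6A when only one header byte fits, otherwise 0x6B, 0xBB..., 0xBA) follows OpenSSL's RSA_padding_add_X931; both are assumptions rather than statements from the notice above.

```python
import hashlib

# ANS X9.31 hash identifiers: the byte that immediately precedes the final
# 0xCC trailer byte. 0x3a for SHA-512/256 is the value the CAVP notice names
# as correct; the other entries are taken from OpenSSL's X9.31 table
# (assumption, not from the notice).
X931_HASH_ID = {
    "sha256": 0x34,
    "sha384": 0x36,
    "sha512": 0x35,
    "sha512_256": 0x3A,
}
# Incorrect SHA-512/256 identifier that CAVS tested for before October 2017.
# Deprecated: accept or emit it only for interoperability with older signers.
DEPRECATED_SHA512_256_ID = 0x40
TRAILER_BYTE = 0xCC


def x931_encode(digest: bytes, hash_id: int, em_len: int) -> bytes:
    """Build the X9.31 encoded message 6B BB..BB BA || digest || hash_id || CC.

    Header layout follows OpenSSL's RSA_padding_add_X931 (assumption): when
    exactly one header byte fits it becomes 0x6A instead of 0x6B .. 0xBA.
    """
    trailer = bytes([hash_id, TRAILER_BYTE])
    head_len = em_len - len(digest) - len(trailer)
    if head_len < 1:
        raise ValueError("encoded message too short for digest and trailer")
    if head_len == 1:
        head = b"\x6a"
    else:
        head = b"\x6b" + b"\xbb" * (head_len - 2) + b"\xba"
    return head + digest + trailer


def x931_decode(em: bytes) -> tuple:
    """Parse an X9.31 encoded message into (digest, hash_id); raise on bad structure."""
    if len(em) < 4 or em[-1] != TRAILER_BYTE:
        raise ValueError("missing 0xCC trailer byte")
    if em[0] == 0x6A:
        body = 1
    elif em[0] == 0x6B:
        i = 1
        # Skip the 0xBB run; stop before the two trailer bytes.
        while i < len(em) - 2 and em[i] == 0xBB:
            i += 1
        if em[i] != 0xBA:
            raise ValueError("padding not terminated by 0xBA")
        body = i + 1
    else:
        raise ValueError("bad header byte")
    return em[body:-2], em[-2]


def verify_encoding(em: bytes, expected_digest: bytes, hash_name: str,
                    accept_deprecated_id: bool = False) -> bool:
    """Check that em carries expected_digest with the identifier for hash_name.

    The deprecated 0x40 identifier is accepted only for SHA-512/256 and only
    when the verifier opts in, mirroring the CAVP allowance for long-lived
    signatures produced by earlier implementations.
    """
    try:
        digest, hash_id = x931_decode(em)
    except ValueError:
        return False
    if digest != expected_digest:
        return False
    if hash_id == X931_HASH_ID[hash_name]:
        return True
    return (hash_name == "sha512_256" and accept_deprecated_id
            and hash_id == DEPRECATED_SHA512_256_ID)


def encode_message(message: bytes, hash_name: str, em_len: int,
                   use_deprecated_id: bool = False) -> bytes:
    """Hash a message with hashlib and produce its X9.31 encoding.

    use_deprecated_id emits 0x40 for SHA-512/256 only, for peers that still
    expect the incorrect identifier; new deployments should leave it False.
    """
    digest = hashlib.new(hash_name, message).digest()
    hash_id = X931_HASH_ID[hash_name]
    if use_deprecated_id and hash_name == "sha512_256":
        hash_id = DEPRECATED_SHA512_256_ID
    return x931_encode(digest, hash_id, em_len)


if __name__ == "__main__":
    # Constructed 32-byte digest standing in for a SHA-512/256 output.
    sample_digest = bytes(range(32))
    em_new = x931_encode(sample_digest, X931_HASH_ID["sha512_256"], 256)
    em_old = x931_encode(sample_digest, DEPRECATED_SHA512_256_ID, 256)
    print("0x3a accepted by default:", verify_encoding(em_new, sample_digest, "sha512_256"))
    print("0x40 accepted by default:", verify_encoding(em_old, sample_digest, "sha512_256"))
    print("0x40 accepted with opt-in:",
          verify_encoding(em_old, sample_digest, "sha512_256", accept_deprecated_id=True))
```

A verifier that wants to report which identifier a signature used, as the CAVP annotation does for tested implementations, can read the second value returned by x931_decode and log it alongside the verification result.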